@@ -272,6 +272,7 @@ qemuarm64-secureboot:
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
+ UEFISB: [none, uefi-secureboot]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
new file mode 100644
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
+# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
+# during the boot process.
+
+header:
+ version: 14
+ includes:
+ - ci/meta-openembedded.yml
+ - ci/meta-secure-core.yml
+
+local_conf_header:
+ uefi_secureboot: |
+ SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
+ BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
+
+ # Detected by passing kernel parameter
+ QB_KERNEL_ROOT = ""
+
+ # kernel is in the image, should not be loaded separately
+ QB_DEFAULT_KERNEL = "none"
+
+ WKS_FILE = "efi-disk.wks.in"
+ KERNEL_IMAGETYPE = "Image"
+
+ MACHINE_FEATURES:append = " efi uefi-secureboot"
+
+ EFI_PROVIDER = "systemd-boot"
+
+ # Use systemd as the init system
+ INIT_MANAGER = "systemd"
+ DISTRO_FEATURES:append = " systemd"
+ DISTRO_FEATURES_NATIVE:append = " systemd"
+
+ IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils efivar"
+
+ TEST_SUITES:append = " uefi_secureboot"
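Review bot: `SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"` points the image signing at a directory inside the build tree without saying where those keys come from or what trust they carry; if meta-secure-core generates them on first use they are throw-away test keys, and if they are expected to be pre-provisioned the CI job silently depends on state this file does not create. I would add a comment above that line such as `# Secure Boot signing keys (PK/KEK/db + sbsign key). Test-only material for the CI matrix; must not be reused for shipped images and must not be committed to the tree.` so the next reader does not mistake this for a production signing setup. Separately, `BB_ENV_PASSTHROUGH_ADDITIONS` is read by BitBake from the process environment before `local.conf` is parsed, so setting it inside `local_conf_header` probably has no effect on passthrough; kas exposes an `env:` header for exactly this, so confirm which one is actually needed and drop the other.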
new file mode 100644
@@ -0,0 +1,29 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.oetimeout import OETimeout
+
+
+class UEFI_SB_TestSuite(OERuntimeTestCase):
+ """
+ Validate Secure Boot is Enabled
+ """
+
+ @OETimeout(1300)
+ def test_uefi_secureboot(self):
+ # Validate Secure Boot is enabled by checking
+ # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
+ # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
+ # identifier for the Secure Boot UEFI variable. By checking the value of
+ # this variable, specifically
+ # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
+ # whether Secure Boot is enabled or not. This variable is set by the
+ # UEFI firmware to indicate the current Secure Boot state. If the
+ # variable is set to a value of '0x1' (or '1'), it indicates that Secure
+ # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
+ # it indicates that Secure Boot is disabled.
+ cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"
+ status, output = self.target.run(cmd, timeout=120)
+ self.assertEqual(output, "1", msg="\n".join([cmd, output]))
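Review bot: The returned `status` from `self.target.run(cmd, timeout=120)` is discarded, so an `efivar` failure (efivarfs not mounted, variable absent because the firmware booted without the variable store, tool missing) only surfaces as a confusing "expected '1', got ''" mismatch instead of a clear command failure; assert the exit code first, `self.assertEqual(status, 0, msg="\n".join([cmd, output]))`, and compare `output.strip()` rather than `output` so a trailing newline from the tool does not fail the check. The 11-line comment block above the command restates the same fact several times; it can be reduced to two sentences naming the EFI global variable GUID and that `SecureBoot == 1` means the firmware reports enforcement enabled. It would also be worth a one-line caveat in that comment that this variable only shows the firmware's enforcement state and does not prove the loaded kernel/image was signature-checked, which is what the `SBSIGN_KEYS_DIR` signing is meant to achieve; a follow-up test that attempts to boot an unsigned binary and expects rejection would close that gap.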